DETAILED ACTION

Acknowledgements 

1. The following is a Final Office action in response to communications filed on 
6/7/2010. Claims 1-26 are pending. No claims have been amended. 

Response to Arguments 

2. Applicant's arguments filed 6/7/2010 regarding the rejection of claims 1-15 and
24-26 under 35 U.S.C. 101 have been fully considered but they are not persuasive. The
claims are not sufficiently tied to a particular machine (i.e. computer or processor). The 
rejection of claims 1-15 and 24-26 under 35 U.S.C. 101 is maintained. 

3. In response to Applicant's argument that Tschiegg fails to disclose "assessing
the impact of the loss of said respective asset", which is located on page 5 of Applicant's
Remarks, Examiner respectfully disagrees. Regarding Applicant's arguments against 
the references individually, one cannot show nonobviousness by attacking references 
individually where the rejections are based on combinations of references. See In re 
Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 
231 USPQ 375 (Fed. Cir. 1986). 

4. Heinrich teaches conducting for each asset, a respective risk assessment, each 
assessment comprising assessing the impact of the loss of said respective asset 
(paragraph 0013). Applicant failed to challenge that Heinrich failed to teach the
limitations of independent claims 1 and 16. Tschiegg is directed towards a risk 
management information interface system that creates reports and creates 
recommendations regarding segments of risk management information including risk 
analysis regarding zones where assets are located (paragraph 0009). Therefore, the 
combination of Heinrich in view of Tschiegg does teach and suggest the limitations 
provided in claims 1 and 16. 

Claim Rejections - 35 USC § 101 

5. 35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of 
matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the 
conditions and requirements of this title. 

6. Claims 1-15 and 24-26 are rejected under 35 U.S.C. 101 because the claimed 
invention is directed to non-statutory subject matter. 

7. Based on Supreme Court precedent and recent Federal Circuit decisions, in 
order for a method to be considered a "process" under §101, a claimed process must 
either: (1) be tied to a machine or (2) transform underlying subject matter (such as an 
article or materials) to a different state or thing. In re Bilski et al, 88 USPQ 2d 1385 
CAFC (2008). Diamond v. Diehr, 450 U.S. 175, 184 (1981); Parker v. Flook, 437 U.S. 
584, 588 n.9 (1978); Gottschalk v. Benson, 409 U.S. 63, 70 (1972). If neither of these 
requirements is met by the claim, the method is not a patent eligible process under
§101 and is non-statutory subject matter. 

8. Claims 1 and 24 are directed towards a method for assessing risk within an 
organization. As the claims are not sufficiently tied to an apparatus, such as a 
computer, the claimed method is non-statutory and therefore rejected under 35 U.S.C. 
101. 

9. Claims 2-14 and 24-26 are rejected for being dependent upon rejected claim 1. 

10. Whether a method appropriately includes particular machines to qualify as a 
section 101 process may not always be a straightforward inquiry. As Comiskey 
recognized, "the mere use of the machine to collect data necessary for application of 
the mental process may not make the claim patentable subject matter." In re Comiskey, 
499 F.3d 1365, 1380 (Fed. Cir. 2007), (citing In re Grams, 888 F.2d 835, 839-40 (Fed. 
Cir. 1989)). In other words, nominal or token recitations of structure in a method claim 
should not convert an otherwise ineligible claim into an eligible one. Ex parte Langemyr 
(BPAI 2008-1495, 2008). 



Claim Rejections - 35 USC § 103

11. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a 
person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived 
by the manner in which the invention was made. 

12. Claims 1, 6, 8, 14, 19, 21 and 23-26 are rejected under 35 U.S.C. 103(a) as 
being unpatentable over Heinrich (US 2003/0046128) in view of Tschiegg et al (US 
2003/0160818). 

13. Regarding claims 1 and 16, Heinrich teaches a computer-implemented method 
for assessing risk within an organization, comprising: 

conducting a respective impact assessment for each of said assets, each 
assessment comprising assessing the impact of the loss of said respective asset 
(paragraph 0013, regarding security risk being defined as determining the impact the 
loss of the asset would have; paragraph 0030-0037, regarding the risk assessment 
regarding evaluating the security risk for an asset); 

assessing the risk level associated with an asset (paragraph 0036); 

conducting for each asset a respective asset risk assessment, comprising
assessing the risk level associated with said respective asset independent of the
respective zone of said respective asset (paragraph 0037).

assessing risk on the basis of at least said impact assessment (paragraph 0030-
0037, regarding the risk assessment regarding evaluating the security risk for an asset) 

Heinrich does not explicitly teach a zone risk assessment of the asset. However, 
Tschiegg teaches 

defining one or more zones, each of said one and more zones comprising an 
environment (paragraph 0009, regarding location identifiers, earthquake zones and 
flood zones); 

identifying one or more assets of said organization, each of said assets being 
located in a respective one of said zones (paragraph 0009, regarding risk management 
information within the zones, which include company assets; Figure 4, regarding the
listed assets in the database); 

conducting for each of said zones a respective zone risk assessment, comprising 
(paragraph 0058-0069, regarding the filter function that allows for customized reporting 
about specific risk management segments); 

conducting for each asset a respective asset risk assessment (paragraph 0009- 
0010, regarding risk management and reporting functions); 

assessing risk on the basis of at least said zone risk assessment and said asset 
risk assessments (paragraph 0009-0010, regarding risk management and reporting 
functions).

It would have been obvious to one of ordinary skill in the art to include the
business system of Heinrich with the ability to teach a zone risk assessment of the 
asset as taught by Tschiegg since the claimed invention is merely a combination of old 
elements, and in the combination each element merely would have performed the same 
function as it did separately, and one of ordinary skill in the art would have recognized 
that the results of the combination were predictable. 

14. Regarding claims 6 and 19, Tschiegg further teaches maintaining a register of 
said zones (paragraph 0009, regarding database of location and zone information). 

15. Regarding claims 8 and 21, Heinrich further teaches wherein each of said assets 
is information related (0049, regarding risk assessment of a computer network system). 

16. Regarding claims 14 and 23, Heinrich further teaches including determining a 
measured risk for each asset, said measured risk for a respective asset comprising the 
product of 1) an impact level determined in said impact assessment and 2) the 
maximum of an asset risk determined in said asset risk assessment and an asset risk 
determined in said zone risk assessment (paragraph 0045-0048, regarding associating 
asset risk to risk levels and conducting a risk assessment).

17. Regarding claim 24, Tschiegg further teaches a risk management method,
comprising managing said risk (paragraph 0003, regarding managing risk). 

18. Regarding claim 25, Heinrich further teaches wherein said managing of said risk 
comprises: 

determining the distribution of the number of assets as a function of associated 
measured risk (paragraph 0045, regarding assigning value to each risk to calculate an 
overall risk); 

determining a maximum acceptable risk level (paragraph 0048, regarding upper 
limit of the risk severity); and 

applying one or more controls if any of said assets exceeds said maximum 
acceptable risk level (paragraph 0168, regarding implementing changes to eliminate or 
downgrade risks). 

19. Regarding claim 26, Heinrich further teaches wherein said acceptable risk level 
comprises the lower of the highest available measured risk or 100% (paragraph 0058).

20. Claims 2-5, 7, 9-13, 15, 20, and 22 are rejected under 35 U.S.C. 103(a) as being
unpatentable over Heinrich (US 2003/0046128) and Tschiegg et al (US 2003/0160818) 
in further view of Lovejoy et al (US 2002/0138416). 

21. Regarding claims 2 and 17, Heinrich in view of Tschiegg teaches a method as 
claimed in claim 1 . Heinrich in view Tschiegg of does not directly teach identifying asset 
custodians. However, Lovejoy teaches identifying one or more asset custodians, each 
comprising a custodian of a respective asset, and identifying one or more of said assets 
(paragraph 0056 and 0060, regarding the category of users that inventory the assets). 

It would have been obvious to one of ordinary skill in the art to include the 
business system of Heinrich in view of Tschiegg with the ability to identify asset custodians
as taught by Lovejoy since the claimed invention is merely a combination of old 
elements, and in the combination each element merely would have performed the same 
function as it did separately, and one of ordinary skill in the art would have recognized 
that the results of the combination were predictable. 

22. Regarding claim 3, Lovejoy further teaches wherein each of said custodians is an 
employee with care-taking responsibilities (paragraph 0056 and 0060, regarding the 
category of users that inventory the assets).

23. Regarding claim 4, Lovejoy further teaches including maintaining a register of
said assets (paragraph 0055, regarding the inventory of assets stored in a database). 

24. Regarding claim 5, Lovejoy further teaches wherein said register includes a 
respective owner of each of said assets (paragraph 0056 and 0060, regarding the 
category of users that inventory the assets; also see page 20 of applicant's specification 
where custodians can also be owners). 

25. Regarding claims 7 and 20, Lovejoy further teaches the register of zones as 
taught by Tschiegg including a respective custodian of each of said zones (paragraph 
0056 and 0060, regarding the category of users that inventory the assets). 

26. Regarding claim 9, Tschiegg in view of Heinrich teaches a method as claimed in 
claim 2 wherein each of said assets is information related. Lovejoy further teaches 
where each of said asset custodians is an information custodian, each comprising a 
custodian of a respective information storage device within said organization (paragraph 
0056 and 0060, regarding the category of users that inventory the assets). 

27. Regarding claim 10, Lovejoy defines custodians including users, risk assessor, 
security practitioner (physical and environmental custodian) and system administrators 
(MIS support custodian) (paragraph 0056). Lovejoy does not directly teach network 
custodians or software engineering custodians. However, the simple substitution of one 
known element for another producing a predictable result renders the claim obvious.
Therefore, it would have been obvious to one with ordinary skill in the art to add 
additional network custodians and software engineering custodians to the system in 
Lovejoy. 

28. Regarding claims 11 and 12, whether the zone assessment is conducted by the 
respective custodian or owner of said respective zone is representative of descriptive 
material that does not modify the functionality of the underlying method to distinguish 
the claimed invention from the prior art. In re Gulack, 703 F.2d 1381, 1385, 217 USPQ 
401, 404 (Fed. Cir. 1983). Therefore, it would have been obvious to one with ordinary 
skill in the art to have the custodian or owner of the asset conduct the zone 
assessment. 

29. Regarding claims 13 and 22, Lovejoy further teaches regarding the loss of an 
asset as equivalent to the loss of a system of which said asset is a part (paragraph 
0063, compromised assets causing a loss to the organization). 

30. Regarding claim 15, Lovejoy further teaches wherein none of said custodians is 
an owner (paragraph 0056 and 0060, regarding the category of users that inventory the 
assets). 

Conclusion

31. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time
policy as set forth in 37 CFR 1.136(a).

32. A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the mailing date of this final action. 

33. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to BRANDI P. PARKER whose telephone number is (571)
272-9796. The examiner can normally be reached on Mon-Fri. 8-5pm.

34. If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Lynda C. Jasmin can be reached on (571) 272-6782. The fax phone 
number for the organization where this application or proceeding is assigned is
571-273-8300.

35. Information regarding the status of an application may be obtained from the
Patent Application Information Retrieval (PAIR) system. Status information for published 
applications may be obtained from either Private PAIR or Public PAIR. Status 
information for unpublished applications is available through Private PAIR only. For 
more information about the PAIR system, see http://pair-direct.uspto.gov. Should you 
have questions on access to the Private PAIR system, contact the Electronic Business 
Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO 
Customer Service Representative or access to the automated information system, call 
800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/BRANDI P PARKER/ 
Examiner, Art Unit 3624 
August 18, 2010 



/Romain Jeanty/ 

Primary Examiner, Art Unit 3624 



